
Online password manager service OneLogin reported on May 31 that it was the victim of a data breach that exposed its users and their data to risk.

Initially, the company provided few details beyond disclosing that there had been unauthorized access to OneLogin customer data. Late on June 1, it revealed that attackers had infiltrated OneLogin's cloud back end and had unfettered access for seven hours before being detected.

OneLogin uses Amazon Web Services (AWS) as its cloud provider, and at approximately 2 a.m. PST on May 31 an attacker was somehow able to use OneLogin's AWS credentials. The attacker used OneLogin's AWS keys from a smaller, unidentified service provider in the U.S. to create new virtual server instances, gaining visibility into and performing reconnaissance on OneLogin's operations.

"OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it," Alvaro Hoyos, Chief Information Security Officer at OneLogin, wrote in a blog post. "The threat actor was able to access database tables that contain information about users, apps, and various types of keys."

Hoyos added that the attacker may also have obtained the information needed to decrypt user data.

This isn't the first time OneLogin has reported a data breach. In August 2016 the company reported a breach in its Secure Notes service. In that incident, the root cause was identified as a platform bug that allowed attackers to view notes before they were encrypted.

Possible Threat Vectors

At this point, it's unclear how the attacker was able to get access to OneLogin's AWS credentials or why it took the company seven hours to detect the unauthorized access.

There are a number of potential vectors by which an attacker could have breached OneLogin's security. In many attacks, a directed spear-phishing email turns out to be the root cause: the attacker sends a fraudulent email to a privileged account holder and lures the victim into clicking a link or logging into a look-alike service that steals the user's credentials.

With AWS in particular, though, there are other potential threat vectors that can place unsuspecting organizations at risk. An April 2017 study from security vendor Threat Stack found that 73 percent of AWS users were leaving the Secure Shell (SSH) service open to the public internet on their cloud instances. SSH is commonly used to remotely administer a server instance.
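The Threat Stack finding above is about SSH left reachable from the whole internet. The following is an added example, not code from the article, Threat Stack or OneLogin, that audits security group rules in the shape of `aws ec2 describe-security-groups` output and reports any group that exposes TCP/22 to 0.0.0.0/0 or ::/0. The group ids, names and CIDR ranges are constructed sample data.

```python
"""Audit EC2 security groups for SSH (TCP/22) reachable from the whole internet."""
import ipaddress
import json

SSH_PORT = 22

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output; group ids, names and ranges are made up for this example.
SAMPLE_DESCRIBE_SECURITY_GROUPS = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0aaa111", "GroupName": "bastion-open",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0bbb222", "GroupName": "bastion-restricted",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0ccc333", "GroupName": "allow-everything",
         "IpPermissions": [
             # IpProtocol "-1" means all protocols and ports; no port fields
             {"IpProtocol": "-1",
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0ddd444", "GroupName": "web-only",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ]
})


def is_world_cidr(cidr: str) -> bool:
    """True when the CIDR is the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule: dict, port: int) -> bool:
    """True when an ingress rule admits TCP traffic to the given port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True  # all traffic, including SSH
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_world_open_ssh(describe_output: str) -> list:
    """Return (group id, group name, cidr) for each rule exposing SSH to everyone."""
    findings = []
    for group in json.loads(describe_output)["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            if not rule_covers_port(rule, SSH_PORT):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_world_cidr(cidr):
                    findings.append((group["GroupId"], group["GroupName"], cidr))
    return findings


if __name__ == "__main__":
    for gid, name, cidr in find_world_open_ssh(SAMPLE_DESCRIBE_SECURITY_GROUPS):
        print(f"{gid} ({name}): SSH reachable from {cidr}")
```

On the sample data the audit flags `sg-0aaa111` (explicit port 22 rule) and `sg-0ccc333` (all-traffic rule), while the group limited to a corporate range and the HTTPS-only group pass. The all-protocol case is worth handling explicitly because such rules carry no port fields, and a naive check on `FromPort`/`ToPort` would miss them.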

The Threat Stack study also found that not all AWS users were using Amazon's CloudTrail auditing service in all zones. CloudTrail can be used by organizations to identify potentially unauthorized access and account anomalies.

However the attacker obtained OneLogin's AWS credentials, the bottom line is that the attack should serve as a wake-up call for all organizations to revisit and harden their cloud access credentials and monitoring policies.
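The article's account (a known AWS key used from an unfamiliar provider to launch instances, noticed hours later) is exactly the pattern CloudTrail auditing exists to surface. The following is an added example, not OneLogin's detection logic or anything from the article: it baselines which source IPs each access key is normally used from, flags later calls from anywhere else, raises severity for calls that create resources or credentials, and reports how long the unfamiliar use spanned. The access key id, IP addresses, timestamps and the `HIGH_RISK_EVENTS` list are constructed assumptions for the example; the record layout follows CloudTrail's JSON fields.

```python
"""Detect an AWS access key being used from unfamiliar source IPs in CloudTrail.

Baseline a key's normal source addresses from a quiet period, then flag
later calls that arrive from anywhere else; calls that expand a foothold
(launching instances, minting credentials) get higher severity.
"""
import json
from collections import defaultdict
from datetime import datetime

# Events that create resources or credentials; a hypothetical list for this example.
HIGH_RISK_EVENTS = {"RunInstances", "CreateAccessKey", "CreateUser",
                    "AttachUserPolicy", "CreateLoginProfile"}

KEY = "AKIAEXAMPLEKEY000001"  # constructed access key id, not a real one


def _record(event_time, event_name, source, ip, key, region="us-west-2"):
    """Build one CloudTrail-shaped record (helper for the constructed samples)."""
    return {"eventTime": event_time, "eventName": event_name,
            "eventSource": source, "awsRegion": region,
            "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                             "accessKeyId": key}}


# Constructed baseline window: the key is only ever used from one CI host.
BASELINE_RECORDS = json.dumps({"Records": [
    _record("2017-05-24T17:02:11Z", "DescribeInstances", "ec2.amazonaws.com", "198.51.100.10", KEY),
    _record("2017-05-25T17:30:40Z", "DescribeInstances", "ec2.amazonaws.com", "198.51.100.10", KEY),
    _record("2017-05-26T17:11:09Z", "RunInstances", "ec2.amazonaws.com", "198.51.100.10", KEY),
]})

# Constructed investigation window: the same key used from an unknown address.
INVESTIGATION_RECORDS = json.dumps({"Records": [
    _record("2017-05-31T09:01:00Z", "RunInstances", "ec2.amazonaws.com", "192.0.2.77", KEY),
    _record("2017-05-31T09:03:20Z", "DescribeInstances", "ec2.amazonaws.com", "192.0.2.77", KEY),
    _record("2017-05-31T12:15:00Z", "DescribeDBInstances", "rds.amazonaws.com", "192.0.2.77", KEY),
    _record("2017-05-31T15:58:00Z", "DescribeInstances", "ec2.amazonaws.com", "198.51.100.10", KEY),
    _record("2017-05-31T16:01:00Z", "RunInstances", "ec2.amazonaws.com", "192.0.2.77", KEY),
]})


def learn_baseline(records_json: str) -> dict:
    """Map each access key id to the set of source IPs it was used from."""
    seen = defaultdict(set)
    for rec in json.loads(records_json)["Records"]:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key:
            seen[key].add(rec["sourceIPAddress"])
    return seen


def detect_unfamiliar_key_use(records_json: str, baseline: dict) -> list:
    """Return an alert for every call made with a key from an IP outside its baseline."""
    alerts = []
    for rec in json.loads(records_json)["Records"]:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue  # console or role sessions without a key are out of scope here
        ip = rec["sourceIPAddress"]
        if ip in baseline.get(key, set()):
            continue
        severity = "high" if rec["eventName"] in HIGH_RISK_EVENTS else "medium"
        alerts.append({"time": rec["eventTime"], "key": key, "ip": ip,
                       "event": rec["eventName"], "severity": severity})
    return alerts


def exposure_window_hours(alerts: list) -> float:
    """Hours between the first and last flagged call (0 when fewer than two)."""
    if len(alerts) < 2:
        return 0.0
    times = sorted(datetime.strptime(a["time"], "%Y-%m-%dT%H:%M:%SZ") for a in alerts)
    return (times[-1] - times[0]).total_seconds() / 3600


if __name__ == "__main__":
    found = detect_unfamiliar_key_use(INVESTIGATION_RECORDS, learn_baseline(BASELINE_RECORDS))
    for a in found:
        print(f"{a['time']} {a['severity']:6} {a['event']} from {a['ip']} using {a['key']}")
    print(f"unfamiliar key use spanned {exposure_window_hours(found):.1f} hours")
```

On the constructed data the first unfamiliar call is a high-severity `RunInstances`, which is the moment an alert should page someone; the legitimate call from the CI host in the middle of the window is not flagged. Two points matter in practice: the baseline must be learned from a period you trust, and CloudTrail has to be enabled in every region, since a key used to launch instances in a region with no trail produces no records to baseline against.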
